Reference: Violation Protection

Violations are rated by the WAF algorithms to help distinguish real attacks from potential false positives. A violation rating is a numerical score that the security algorithms assign to a request based on the violation(s) it contains. Each violation's type and severity contributes to the final rating, and the final rating determines the action taken on the request. Under the WAF policy template, a violation rating of 1, 2 or 3 does not cause the request to be blocked; only a log entry with alerted status is generated. A violation rating of 4 or 5 blocks the request: a blocking page is returned to the client and a log entry with blocked status is generated for the transaction. Violation ratings are shown in the logs by default.

Violation Rating

To simplify the task of identifying false positives, each transaction with one or more violations has a violation rating associated with it. The violation rating ranks the transaction from 1 to 5, where 5 indicates the highest probability of a real attack with high severity risk to your application.

WAF assigns the violation rating by assessing the combination of violations that occur in a transaction. The rating applies to the transaction as a whole rather than to the individual violations in the request, because real attacks often contain several violations in one transaction, and it takes the impact of those violations into account. Review requests with low violation ratings; if they are false positives, accept the request so that its learning suggestions are adopted into the security policy.

This table explains how to interpret the violation ratings:

Rating | Description
------ | -----------
5 | Request is most likely a threat. Consider clearing any learning suggestions associated with it.
4 | Request is likely a threat but requires further examination before clearing the suggestion.
3 | Request needs further examination.
2 | Request looks like a false positive but requires further examination.
1 | Request is most likely a false positive. If so, consider accepting the learning suggestions to add this to the security policy.

Types of violations

The following lists the violations available in your Web Application Firewall (WAF) policy. Whether a violation is enabled or disabled depends on the WAF policy template you selected. The tables below list each violation and whether your policy template enables protection against it by default.

HTTP RFC Violation Protection

For management see HTTP Protocol Compliance Protection

Template defaults are listed in the order Rating-Based, Rapid, Fundamental, Comprehensive. A row with fewer than four entries leaves the check disabled in the remaining templates; confirm the exact per-template setting in the policy's HTTP Protocol Compliance configuration before relying on it.

HTTP RFC Violation | Description | Template defaults
------------------ | ----------- | -----------------
Bad Host Header Value | The system detects a non-RFC-compliant Host header value, which can leave the application vulnerable to an XSS attack. | Enabled, Enabled
Bad HTTP Version | The system enforces a legal HTTP version to prevent weaknesses in older protocol versions. | Enabled in all four templates
Bad Multipart/Form-Data Request Parsing | The system checks that a request whose Content-Type is multipart/form-data is correctly formatted. | Enabled, Enabled
Bad Multipart Parameters Parsing | The system checks the individual parameters of a multipart body for correct formatting. | Enabled, Enabled
Body in GET or HEAD Requests | The system checks whether a GET or HEAD request carries a body. | Not enabled by default
Check Maximum Number of Cookies | The system compares the number of cookies in the request with the configured maximum. | Enabled - Max 50 cookies
Check Maximum Number of Headers | The system compares the number of request headers with the configured maximum. | Enabled - Max 100 headers, Enabled - Max 100 headers
Check Maximum Number of Parameters | The system compares the number of request parameters with the configured maximum, to protect the server-side parser. | Enabled - Max 100 parameters, Enabled - Max 500 parameters
Chunked Request with Content-Length Header | The system checks for the RFC violation of a request carrying both a Content-Length header and Transfer-Encoding: chunked. | Enabled, Enabled
Content Length Should be a Positive Number | The system checks that the Content-Length header value is a positive number; a negative or non-numeric value is a violation. | Enabled, Enabled
CRLF Characters Before Request Start | The system checks for the RFC violation of CRLF characters before the request method. | Enabled, Enabled
Header Name with No Header Value | The system checks for a header name without a header value, which can trigger logic flaws in the application or web server. | Enabled
High ASCII Characters in Headers | The system checks for characters above 0x7F in headers, which can carry attacks. | Enabled
Host Header Contains IP Address | The system checks the Host header value for an IP address, a pattern used by internet worms that scan by address rather than by name. | Not enabled by default
Multiple Host Headers | The system checks for more than one Host header, which can be used to evade application security. | Enabled, Enabled
No Host Header in HTTP/1.1 Request | The system checks that an HTTP/1.1 request carries a Host header, as the RFC requires. | Enabled, Enabled
Null in Request | The system checks for a NULL byte in the request (excluding the binary part of a multipart body), which indicates an attack. | Enabled in all four templates
Post Request with Content-Length:0 | The system checks the RFC compliance of a POST request by examining its Content-Length (which must be greater than 0) and whether the request is chunked. | Not enabled by default
Several Content-Length Headers | The system checks for more than one Content-Length header, a hallmark of HTTP request smuggling (RFC 7230 requires such a request to be rejected). | Enabled in all four templates
Unparsable Request Content | The system detects whether the parser can parse the message at all. | Enabled in all four templates
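As an added example (not code from the original page or from the WAF vendor), the following Python script implements the request-framing checks from the table above against raw HTTP/1.x requests and reports each finding under the table's own violation name, so results can be compared with WAF log entries. The sample requests, the header and cookie limits, and the set of legal HTTP versions are all assumptions constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Limits assumed for this example; they mirror the "Max 100" / "Max 50"
# defaults in the table above but are not read from a real policy.
MAX_HEADERS = 100
MAX_COOKIES = 50
LEGAL_VERSIONS = {"1.0", "1.1"}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body).
    headers keeps duplicates as (lower-cased name, value) pairs; latin-1 is
    lossless for arbitrary bytes. Returns None if the request line is invalid."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return None
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return match.group(1), match.group(2), match.group(3), headers, body


def host_without_port(host: str) -> str:
    """Strip an optional :port, handling bracketed IPv6 literals."""
    if host.startswith("["):
        return host[1:host.find("]")]
    return host.split(":", 1)[0]


def http_rfc_violations(raw: bytes) -> list:
    """Return the HTTP RFC violation names present in one raw request."""
    found = []
    if raw[:1] in (b"\r", b"\n"):
        found.append("CRLF Characters Before Request Start")
        raw = raw.lstrip(b"\r\n")
    if b"\x00" in raw:  # the real check skips the binary part of multipart bodies
        found.append("Null in Request")
    parsed = parse_request(raw)
    if parsed is None:
        found.append("Unparsable Request Content")
        return found
    method, _, version, headers, body = parsed
    count = Counter(name for name, _ in headers)

    def values(name):
        return [v for k, v in headers if k == name]

    if version not in LEGAL_VERSIONS:
        found.append("Bad HTTP Version")
    if method in ("GET", "HEAD") and body:
        found.append("Body in GET or HEAD Requests")
    if version == "1.1" and count["host"] == 0:
        found.append("No Host Header in HTTP/1.1 Request")
    if count["host"] > 1:
        found.append("Multiple Host Headers")
    for host in values("host"):
        try:
            ipaddress.ip_address(host_without_port(host))
            found.append("Host Header Contains IP Address")
        except ValueError:
            pass  # a DNS name, which is what we want to see
    if count["content-length"] > 1:
        found.append("Several Content-Length Headers")
    if any(not cl.isdigit() for cl in values("content-length")):
        found.append("Content Length Should be a Positive Number")
    if count["content-length"] and any(
        "chunked" in te.lower() for te in values("transfer-encoding")
    ):
        found.append("Chunked Request with Content-Length Header")
    if method == "POST" and values("content-length") == ["0"] and not values("transfer-encoding"):
        found.append("Post Request with Content-Length:0")
    if any(value == "" for _, value in headers):
        found.append("Header Name with No Header Value")
    if any(ord(c) > 127 for name, value in headers for c in name + value):
        found.append("High ASCII Characters in Headers")
    if len(headers) > MAX_HEADERS:
        found.append("Check Maximum Number of Headers")
    if sum(len(c.split(";")) for c in values("cookie")) > MAX_COOKIES:
        found.append("Check Maximum Number of Cookies")
    return found


# Constructed sample requests for the example (not captured traffic).
CLEAN = b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nabcde"
SMUGGLE = (
    b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n"
    b"Content-Length: 11\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
)
ODD = b"\r\nGET /ping HTTP/1.1\r\nHost: 10.0.0.5\r\nX-Empty:\r\n\r\nbody"

if __name__ == "__main__":
    for label, request in (("clean", CLEAN), ("smuggle", SMUGGLE), ("odd", ODD)):
        print(label, http_rfc_violations(request))
```

The SMUGGLE sample is the interesting one: duplicate Content-Length headers and Content-Length combined with Transfer-Encoding: chunked are precisely the ambiguities that HTTP request smuggling relies on, so a policy that only alarms on them rather than blocking leaves the WAF and the origin free to disagree about where one request ends and the next begins.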

Evasion Technique Violation Protection

For management see Evasion Technique Violation Protection

Template defaults are listed in the order Rating-Based, Rapid, Fundamental, Comprehensive. A row with fewer than four entries leaves the check disabled in the remaining templates; confirm the exact per-template setting in the policy's Evasion Technique configuration before relying on it.

Evasion Technique Violation | Description | Template defaults
--------------------------- | ----------- | -----------------
Apache Whitespace | The system detects the URI characters 9 (0x09), 11 (0x0B), 12 (0x0C) and 13 (0x0D). | Enabled
Bad Unescape | The system detects illegal hex encoding and reports unescape errors. | Enabled
Bare Byte Decoding | The system detects raw (unencoded) bytes greater than 127 in the request, which can hide attacks such as XSS. | Enabled
Directory Traversals | The system detects directory traversal sequences in the URL, which are used to escape the web server root and request arbitrary resources. | Enabled
IIS Backslashes | The system detects backslashes and normalizes them to slashes so that later checks, such as directory traversal, see the canonical path. | Enabled
IIS Unicode Codepoints | The system detects and maps the IIS-specific non-ASCII code points that can be used to hide attacks. | Enabled
Multiple Decoding | The system decodes the URI and parameter values the configured number of times; content that is still encoded after that is reported as an evasion violation. | Enabled - 2 max decoding passes
Multiple Slashes | The system checks that the URL does not contain more than one slash between path segments. | Not enabled by default
Semicolon Path Parameters | The system detects unencoded semicolons in the URL, which can hide attacks. | Not enabled by default
Trailing Dot | The system detects and normalizes trailing dots in the URL, which can hide attacks. | Not enabled by default
Trailing Slash | The system detects a slash at the end of the URL, which can hide attacks. | Not enabled by default
%U Decoding | The system decodes Microsoft %u Unicode encoding in requests so that attacks hidden by it are detected. | Enabled
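As an added example that is not part of the original page, this Python function normalizes a request URI the way the evasion checks above do (%u decoding, a bounded number of percent-decoding passes, IIS code point mapping, backslash normalization, and the path checks) and reports each technique under the table's own name. The IIS code point subset and the two-pass limit are assumptions for the example, and the sample URIs in the tests are constructed.

```python
import re
from urllib.parse import unquote

MAX_DECODING_PASSES = 2  # mirrors "Enabled - 2 max decoding passes" above
APACHE_WHITESPACE = {"\x09", "\x0b", "\x0c", "\x0d"}
# Illustrative subset of IIS-specific code points that IIS folds to ASCII;
# an assumption for this example, not the WAF's full mapping table.
IIS_CODEPOINTS = {"\uff0e": ".", "\uff0f": "/", "\uff3c": "\\", "\u2215": "/", "\u2216": "\\"}

PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")
BAD_PERCENT = re.compile(r"%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")
STILL_ENCODED = re.compile(r"%[0-9a-fA-F]{2}|%u[0-9a-fA-F]{4}")


def decode_once(s: str):
    """One decoding pass: Microsoft %uXXXX first, then standard %XX."""
    found = set()
    if PERCENT_U.search(s):
        found.add("%U Decoding")
        s = PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), s)
    if BAD_PERCENT.search(s):
        found.add("Bad Unescape")
    # latin-1 keeps every %XX as exactly one character and never raises
    return unquote(s, encoding="latin-1"), found


def evasion_violations(uri: str):
    """Normalize a request URI as the evasion checks do and report findings.
    uri is a str whose characters are the raw request bytes (latin-1).
    Returns (normalized_uri, sorted list of violation names)."""
    found = set()
    if any(c in APACHE_WHITESPACE for c in uri):
        found.add("Apache Whitespace")
    if any(127 < ord(c) < 256 for c in uri):  # raw, unencoded high bytes
        found.add("Bare Byte Decoding")
    s, passes = uri, 0
    while "%" in s and passes < MAX_DECODING_PASSES:
        s, more = decode_once(s)
        found |= more
        passes += 1
    if STILL_ENCODED.search(s):  # encoding survived the allowed passes
        found.add("Multiple Decoding")
    if any(c in IIS_CODEPOINTS for c in s):
        found.add("IIS Unicode Codepoints")
        s = "".join(IIS_CODEPOINTS.get(c, c) for c in s)
    if "\\" in s:
        found.add("IIS Backslashes")
        s = s.replace("\\", "/")
    path = s.split("?", 1)[0]
    if ";" in path:
        found.add("Semicolon Path Parameters")
    if "//" in path:
        found.add("Multiple Slashes")
    if len(path) > 1 and path.endswith("/"):
        found.add("Trailing Slash")
    if path.endswith("."):
        found.add("Trailing Dot")
    if ".." in path.split("/"):
        found.add("Directory Traversals")
    return s, sorted(found)
```

The order matters: backslashes are folded to slashes before the traversal check so that `..%5c..%5c` is seen as `../../`, and a triple-encoded `%25252e%25252e` is reported as Multiple Decoding rather than silently passed through as a harmless-looking `%2e%2e` segment.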

Data Guard violations

For management see Data Guard

Data Guard Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive
-------------------- | ----------- | ------------ | ----- | ----------- | -------------
Data Guard: Information leakage detected | The policy examines responses and detects possible information leakage. | Alarm | Alarm & Block | Alarm & Block | Alarm & Block

CSRF violations

For management see CSRF Protection

CSRF Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive
-------------- | ----------- | ------------ | ----- | ----------- | -------------
CSRF attack detected | The WAF policy ensures the request is legitimate and originates from the application itself, not from a clicked link, embedded HTML, or JavaScript hosted on another application. | Alarm | Alarm & Block | Alarm & Block | Alarm & Block

SSRF violations

For management see SSRF Protection

SSRF Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive
-------------- | ----------- | ------------ | ----- | ----------- | -------------
SSRF attack detected | The WAF policy handles a request for server-side access to a disallowed host. | Alarm | Disabled | Alarm & Block | Alarm & Block

Brute force violations

For management see Brute force attack protection

Brute Force Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive
--------------------- | ----------- | ------------ | ----- | ----------- | -------------
Brute Force: Maximum login attempts are exceeded | The number of times the user tried to log in to a URL exceeds what the security policy allows. This indicates an attempt to reach secured parts of a website by guessing usernames and passwords. | Alarm & Block | Alarm & Block | Alarm & Block | Alarm & Block

File type violations

For management see Manage File Types

File Type Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive
------------------- | ----------- | ------------ | ----- | ----------- | -------------
Illegal file type | The requested file type is not allowed by the security policy. | Alarm & Block | Disabled | Alarm & Block | Alarm & Block
Illegal URL length | The URL of a request for this file type exceeds the URL length configured in the security policy. | Alarm & Block | Disabled | Alarm & Block | Alarm & Block
Illegal request length | The total length of a request for this file type exceeds the request length configured in the security policy. | Alarm & Block | Disabled | Alarm & Block | Alarm & Block
Illegal query string length | The query string of a request for this file type exceeds the query string length configured in the security policy. | Alarm & Block | Disabled | Alarm & Block | Alarm & Block
Illegal POST data length | The POST data of a request for this file type exceeds the POST data length configured in the security policy. | Alarm & Block | Disabled | Alarm & Block | Alarm & Block

URL violations

For management see Manage URLs

URL Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive
------------- | ----------- | ------------ | ----- | ----------- | -------------
Illegal URL | The requested URL is not configured as a valid URL, or is configured as an invalid URL, in the security policy. | Alarm | Disabled | Disabled | Alarm & Block
Illegal meta character in URL | The requested URL contains a meta character that the security policy does not define as allowed. This enforces a defined set of acceptable characters. | Alarm | Disabled | Disabled | Alarm & Block

Method violations

For management see Manage HTTP Methods

Method Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive
---------------- | ----------- | ------------ | ----- | ----------- | -------------
Illegal Method | The request uses an HTTP method that is not found in the security policy. GET and POST are always allowed. | Alarm | Alarm & Block | Alarm & Block | Alarm & Block

Host name violations

For management see Manage Host Names

Host Name Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive
------------------- | ----------- | ------------ | ----- | ----------- | -------------
Mismatched host name | The host name in the request line (an absolute-URI request target) differs from the host name in the Host header. | Alarm | Alarm & Block | Alarm & Block | Alarm & Block
Illegal host name | The host name in the request is not one configured in the policy. | Disabled | Disabled | Disabled | Disabled

Parameter violations

For management see Manage Parameters

Parameter Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive
------------------- | ----------- | ------------ | ----- | ----------- | -------------
Illegal parameter | The request contains a parameter that is not defined in the WAF policy. | Disabled | Disabled | Disabled | Alarm & Block
Illegal parameter location | A parameter appears in a location (for example, the query string rather than the POST body) other than the one the policy defines for it. | Disabled | Alarm & Block | Alarm & Block | Alarm & Block
Illegal dynamic parameter value | The value of a dynamic parameter in the request is not one of the values the server issued for it. | Disabled | Disabled | Disabled | Alarm & Block
Disallowed file upload content detected | The system checks that uploaded file content is not a binary executable format. | Alarm & Block | Alarm & Block | Alarm & Block | Alarm & Block
Illegal empty parameter value | The request contains an empty value for a parameter that the policy requires to have a value. | Disabled | Disabled | Disabled | Alarm & Block
Illegal repeated parameter name | The request contains several parameters with the same name. | Disabled | Disabled | Disabled | Alarm & Block
Null in multi-part parameter value | A multipart request contains a NULL byte in a parameter value. | Disabled | Disabled | Disabled | Alarm & Block
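An added example (not the WAF's own implementation) of the positive security model the parameter violations describe: a hypothetical policy for a login form, a checker that enforces it over query-string and POST-body parameters, and a magic-number test for the disallowed file upload content check. The policy, parameter names, token values and executable magic numbers are assumptions constructed for this example; the NULL-byte check is applied to form-encoded values here, whereas the table's row refers to multipart bodies.

```python
from urllib.parse import parse_qsl

# Hypothetical parameter policy for a login form (constructed for the example).
# "dynamic" marks a parameter whose legal values the server hands out.
POLICY = {
    "user":    {"location": "post",  "allow_empty": False, "allow_repeat": False},
    "pass":    {"location": "post",  "allow_empty": False, "allow_repeat": False},
    "lang":    {"location": "query", "allow_empty": True,  "allow_repeat": False},
    "session": {"location": "post",  "allow_empty": False, "allow_repeat": False, "dynamic": True},
}

# PE, ELF and Mach-O magic numbers; an illustrative set, not the WAF's list.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xce")


def parameter_violations(query: str, body: str, dynamic_values: dict) -> list:
    """Check query-string and form-encoded POST parameters against POLICY.
    dynamic_values maps a dynamic parameter name to the set of values the
    server issued (the real WAF extracts these from responses)."""
    found = []
    seen = {}
    for location, raw in (("query", query), ("post", body)):
        for name, value in parse_qsl(raw, keep_blank_values=True):
            rule = POLICY.get(name)
            if rule is None:
                found.append(f"Illegal parameter: {name}")
                continue
            if rule["location"] != location:
                found.append(f"Illegal parameter location: {name} in {location}")
            if value == "" and not rule["allow_empty"]:
                found.append(f"Illegal empty parameter value: {name}")
            if "\x00" in value:
                found.append(f"Null in parameter value: {name}")
            seen[name] = seen.get(name, 0) + 1
            if seen[name] > 1 and not rule["allow_repeat"]:
                found.append(f"Illegal repeated parameter name: {name}")
            if rule.get("dynamic") and value not in dynamic_values.get(name, set()):
                found.append(f"Illegal dynamic parameter value: {name}")
    return found


def disallowed_upload(data: bytes) -> bool:
    """True if an uploaded file starts with an executable magic number."""
    return data.startswith(EXECUTABLE_MAGIC)
```

The repeated-name check is worth keeping on even where the rest of the parameter model is too noisy: HTTP parameter pollution works precisely because the WAF and the application may pick different instances of `user` when the name appears twice.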